
Hacking iPhone

Hey there, I have been working so hard for you guys, and you are not even subscribing to my posts.

It hurts right in my heart.

So, let's start with some basics so you can understand the way I do it.

Basics

As with most handheld devices, the iPhone has a locking mechanism to protect the device's data.

This locking mechanism can be invoked manually, but is more frequently invoked by the "Auto-Lock" feature. Auto-Lock waits for the phone to be idle for a user-defined number of minutes before automatically invoking the locking mechanism.

When the device is locked and powered on, the data on it cannot be accessed via iTunes or any other means. Once the iPhone is locked, the user must enter a pass code to access the device. This protects against data theft in a scenario where the device is lost or stolen. The pass code is normally 4 digits long, which may be susceptible to brute-force attacks given enough time and patience. There is also a delay after a certain number of incorrect attempts.

Finally, the device can wipe its memory if the lockout threshold is reached, which would probably deter most attackers. The locking mechanism can also be set to use a more complex password containing any combination of letters, numbers or symbols. This can be done using the iPhone Configuration Utility, freely available from Apple (http://www.apple.com/support/iphone/enterprise/).

Keychain

The keychain is a SQLite database stored in the /private/var/Keychains/keychain-2.db file on the iPhone. It stores the passwords used on the device, including any passwords used for email accounts. As of firmware version 2.2(?), the device pass code is also stored within this keychain file.

Our Hacking Tool

QuickPwn is a closed-source, Windows-based tool for jailbreaking the iPhone, released by the iPhone Dev Team and poorlad.

What makes QuickPwn unique is the method it uses to write data to the iPhone. Normally, when an iPhone is reflashed using iTunes, all data on the device is lost.

QuickPwn uses a different method which preserves all data except the data it is explicitly told to overwrite. QuickPwn was written so iPhone owners with limited technical savvy can easily jailbreak their iPhone.

Bypassing the Pass code

Let’s start to put all of this information together. We know that the pass code is stored within the keychain.

If we can overwrite the keychain with one that doesn't contain a pass code, we may be able to bypass the pass code protecting the device (because it no longer exists after we overwrite it!).

We also know that if we put the phone in DFU mode, we can overwrite data on the phone, and if we use QuickPwn, we can selectively overwrite only particular data. So, using a customized QuickPwn package, we can overwrite the keychain and effectively bypass the pass code.

Result

Once we bypass the pass code, all locally stored data (photos, emails, contacts, notes, etc.) is accessible.

Remember, the keychain also stores the passwords for other applications.

This means that if we overwrite the keychain file, we will have to re-enter all passwords for applications which use the keychain. During testing, I was able to access all locally stored emails (including Exchange accounts, etc.),

but could not send or receive any new emails because I did not have the password stored in my keychain. As I discovered later on, it is possible to simply move the keychain and then access it at a later date.

This process was detailed on http://www.zdziarski.com/. To bypass the pass code in v2.2, all one needs to do is move the keychain out of the way, then reboot:

    mv /private/var/Keychains/keychain-2.db /

This preserves the suspect's keychain, resets the pass code, and also temporarily disables any account passwords on the device so that the suspect's accounts won't be accessed by the iPhone, further preserving the file system.

To restore all accounts, move the old keychain file back and reboot. You can also manually remove the pass code lock from the keychain by deleting its record with sqlite3:

    delete from genp where acct = "DeviceLockPassword";

The process described below will only work on iPhone 3G devices. However, it can be modified to work with other models.

NOTE : No testing was performed on firmware versions besides 2.2.1. Since firmware 2.2 was first to store the pass code in the keychain, this exact sequence will not work on previous versions. However, the previous versions can be easily changed by modifying the settings file which enables the lock functionality as described in Jonathan Zdziarski’s webinar.
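From the defender's side, the useful consequence of the above is that a keychain without its device-lock record is itself an indicator: the lock was not entered, it was removed. As an added example (not code from the original post or from Zdziarski's tooling), the Python script below builds a constructed keychain-2.db-style file and runs a read-only audit that reports whether the DeviceLockPassword record is still present in genp, the check an examiner or administrator would run on a copy of the file to spot a swapped or edited keychain. Only the table name genp, the acct column and the DeviceLockPassword account name come from the post; the other columns, the sample rows and the temporary file layout are assumptions made for this example.

```python
import os
import sqlite3
import tempfile

# Account name under which the post says the device pass code is stored.
LOCK_RECORD = "DeviceLockPassword"


def build_sample_keychain(path, include_lock_record=True):
    """Create a constructed keychain-like SQLite file with a minimal genp table.

    Only the table name and the 'acct' column are from the post; the 'svce'
    and 'data' columns and the rows below are assumptions for this example.
    """
    conn = sqlite3.connect(path)
    conn.execute("DROP TABLE IF EXISTS genp")
    conn.execute(
        "CREATE TABLE genp (id INTEGER PRIMARY KEY, svce TEXT, acct TEXT, data BLOB)"
    )
    rows = [
        ("com.example.mail", "user@example.com", b"<constructed secret>"),
        ("com.example.exchange", "CORP\\user", b"<constructed secret>"),
    ]
    if include_lock_record:
        rows.append(("", LOCK_RECORD, b"<constructed secret>"))
    conn.executemany("INSERT INTO genp (svce, acct, data) VALUES (?, ?, ?)", rows)
    conn.commit()
    conn.close()


def audit_keychain(path):
    """Read-only integrity check of a keychain copy.

    Opens the database in read-only mode so the audit itself can never modify
    the evidence, lists the account names held in genp, and flags the absence
    of the device-lock record, which is what both bypass variants in the post
    (moving the file aside or deleting the row) leave behind.
    """
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        accounts = [row[0] for row in conn.execute("SELECT acct FROM genp ORDER BY acct")]
    finally:
        conn.close()
    present = LOCK_RECORD in accounts
    return {
        "lock_record_present": present,
        "account_count": len(accounts),
        "accounts": accounts,
        "finding": "ok" if present
        else "device-lock record missing: keychain may have been replaced or edited",
    }


def demo(include_lock_record=True):
    """Build a throwaway sample keychain and audit it; returns the audit dict."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "keychain-2.db")  # file name from the post
        build_sample_keychain(path, include_lock_record)
        return audit_keychain(path)


if __name__ == "__main__":
    for state in (True, False):
        report = demo(include_lock_record=state)
        print(f"lock record present={report['lock_record_present']}: {report['finding']}")
```

Run it against a copy of a real keychain by calling audit_keychain() on the copied file; the read-only URI guarantees the check cannot alter the copy, and a missing DeviceLockPassword row on a device the owner says was locked is the finding to escalate.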

Procedure

Test Environment

Testing was performed using a jailbroken iPhone 3G 8GB (Phone A, which is used as our testing phone) and a stock, non-jailbroken iPhone 3G 16GB (Phone B, which is our target phone). Phone B was set up with an Exchange email account and various personal data (notes, pictures, etc.).

Additionally, Phone B was configured with a pass code. The goal of the testing was to retrieve all of this data from Phone B without knowledge of the pass code. The other hardware used was a laptop running Windows XP with iTunes 8, and an Ubuntu Linux VM.

Copying the Keychain

Phone A (the test phone, previously jailbroken using QuickPwn) was configured with a pass code and then accessed remotely via SSH. The keychain was compressed with permissions intact:

To access the actual QuickPwn executable and its data, follow these steps:

1. Double click QuickPwn.exe

2. While QuickPwn.exe is running, go to Start -> Run and type %TEMP%

3. Look for the RarSFXN directory (where N is a number that changes per computer), or the last directory created. A look into this directory should reveal that it contains QuickPwn.exe and a number of additional files and directories. This is the QuickPwn application.

4. Copy this entire directory to a new location. In the example below, I have copied the directory to C:\RarSFX1.

5. Close the QuickPwn application.

Your directory should look similar to the screenshot below:

Modifying Cydia

Cydia is a package manager for applications written to run on jailbroken iPhones. It's normally installed when you use QuickPwn to jailbreak a phone.

In order to bypass the pass code on Phone B, we'll add the keychain copied from Phone A and integrate it into the Cydia package. This ensures the keychain is installed on Phone B during the jailbreak process with QuickPwn.

The command on line 4 verifies that Keychain.tar decompressed properly and that the keychain-2.db file exists with the proper permissions. Now use WinSCP to copy your newly created Cydia.tar.gz from the Linux VM to the Windows system and replace the C:\RarSFX1\Data\Cydia.tar.gz file with it.

Modifying QuickPwn

Next, QuickPwn must be modified so that it won't run its device-connection checks when it first launches. We do this because Phone B is locked, so it will not register properly with QuickPwn.

6. Go to Tools -> Reflexil v0.9 to load the Add-In. You should see the Reflexil pane open on the right of the Reflector window.

7. In the Reflexil pane on the bottom right, highlight all instructions except the last (opcode: ret). Right click and delete all the lines thus removing the splash screen display code.

8. Now for the good stuff! In the left-hand pane of .NET Reflector, expand QuickPwn -> QuickPwn.exe -> { } QuickPwn -> frmStartup and double click "picNext_Click(Object, EventArgs): Void". This is the function of the startup form that activates the Next button.

9. In the Reflexil pane on the bottom right, go down to instruction 09, right click -> edit and change the opcode from "brfalse.s" to "brtrue.s".